[OR] [P2] [S1] [CBS] [C3] Complying with Regulatory and Standards

Chapter 3

Complying with Regulatory and Standards

Introduction

The identification of Critical Business Services (CBS) is not merely a methodological exercise—it is a regulatory expectation and a central pillar of modern Operational Resilience (OR) frameworks.

Financial regulators and international standards bodies increasingly require organisations to adopt a service-centric, outcome-driven approach to resilience, with CBS forming the foundation for all subsequent resilience activities.

Evolution of Regulatory Expectations

Historically, resilience was addressed through Business Continuity Management (BCM), focusing on:

• Recovery Time Objectives (RTOs)
• Recovery Point Objectives (RPOs)
• Process-level continuity planning

While effective for operational recovery, this approach often emphasised internal restoration rather than external impact.

Regulators have since evolved their expectations toward:

• Customer-centric outcomes
• End-to-end service continuity
• Tolerance for disruption, rather than simply recovery speed

This shift reflects lessons learned from financial crises, cyber incidents, and large-scale operational disruptions, where restoring systems alone did not guarantee acceptable customer outcomes.

Key Regulatory Themes Across Jurisdictions

Although terminology may vary, global regulators share several common principles regarding CBS:

1. Focus on Critical Business Services

Organisations must:

• Identify the services that are most important to customers and markets
• Prioritise these services for resilience planning

2. Impact Tolerance

• Define the maximum acceptable level of disruption for each CBS
• Consider metrics such as duration, volume, and customer impact

3. End-to-End Mapping

• Map the full delivery chain of each CBS:
• People
• Processes
• Technology
• Facilities
• Third-party providers

4. Severe but Plausible Scenarios

• Test CBS against extreme yet realistic disruption scenarios
• Evaluate the organisation’s ability to remain within defined tolerances

5. Continuous Improvement

• Regularly review and refine CBS identification
• Integrate lessons learned from incidents and testing

Alignment with International Standards

While Operational Resilience is driven largely by regulators, it builds upon established international standards.

Business Continuity Foundation

ISO 22301 provides the foundation for:

• Business Impact Analysis (BIA)
• Continuity strategies
• Plan development and testing

However, ISO 22301 is primarily process-oriented, focusing on restoring operations rather than explicitly defining critical services.

Crisis Management Integration

ISO 22361 complements this by emphasising:

• Decision-making under disruption
• Leadership coordination
• Managing consequences and stakeholder communication

Together, these standards support CBS identification by:

• Providing structured analysis techniques (ISO 22301)
• Ensuring effective response during disruption (ISO 22361)

Regulatory Approaches in Practice

Different regulators have adopted Operational Resilience frameworks that explicitly require CBS identification:

Monetary Authority of Singapore (MAS)

• Emphasises critical system identification and service resilience
• Requires financial institutions to ensure the availability of critical services under adverse conditions
• Strong focus on technology risk management and third-party dependencies

Bangko Sentral ng Pilipinas (BSP)

• Through Circular No. 1203 (Operational Resilience Guidelines), institutions must:
• Identify Critical Operations
• Define impact tolerances
• Conduct mapping and scenario testing

Bank Negara Malaysia (BNM)

• Highlights critical business services within its BCM and resilience guidelines
• Focuses on:
• Customer impact
• Financial system stability
• End-to-end service delivery

Despite differences in terminology (e.g., “critical” vs “important”), the underlying expectation is consistent:

Organisations must identify and protect the services that matter most to customers and the financial system.

Bridging BCM and Operational Resilience

A key challenge for many organisations is transitioning from traditional BCM to Operational Resilience.

CBS identification acts as the bridge between these two approaches by:

• Translating process-level insights into service-level priorities
• Aligning continuity planning with real-world impact
• Enabling more meaningful scenario testing and investment decisions

Implications for Organisations

The regulatory emphasis on CBS has several practical implications:

• Board and Senior Management Accountability
  
  Leadership must understand and approve the list of CBS
  
  
• Cross-Functional Collaboration
  
  CBS identification requires input from:
• Business units
• Risk management
• IT and operations

• Integration with Risk Frameworks
  
  CBS must be embedded into:
• Enterprise Risk Management (ERM)
• Third-party risk management
• Technology and cyber resilience

• Documentation and Auditability
  
  Regulators expect:
• Clear rationale for CBS selection
• Evidence of review and validation
• Alignment with resilience testing

Key Takeaways

• CBS identification is a regulatory expectation, not optional
• Global regulators share a consistent focus on customer outcomes and service continuity
• International standards such as ISO 22301 and ISO 22361 provide foundational support
• Organisations must shift from process recovery to service resilience
• CBS forms the foundation for impact tolerance, mapping, and scenario testing

 

C1	C2	C3	C4	C5	C6
C7	C8	C9	C10	C11

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.